[8471] in bugtraq


Re: tcpd -DPARANOID doesn't work, and never did

daemon@ATHENA.MIT.EDU (D. J. Bernstein)
Mon Nov 9 21:30:56 1998

Date: 	Tue, 10 Nov 1998 01:07:14 -0000
Reply-To: "D. J. Bernstein" <djb@CR.YP.TO>
From: "D. J. Bernstein" <djb@CR.YP.TO>
To: BUGTRAQ@NETSPACE.ORG

The subject line is correct exactly as stated. -DPARANOID does not
improve your computer's security. It has never improved anybody's
computer security.

System administrators who thought that they were protecting themselves
with -DPARANOID were actually deceiving themselves. As I said before,
all of those systems were vulnerable until the vendors fixed the
hostname lookups in rshd and rlogind.

Wietse Venema writes:
> First of all, whether or not the attack fails depends on the BIND
> version being used; for example, the once widely-used BIND 4.8
> forces the TTL to be at least five minutes, stopping the attack.

No, it does not stop the attack. Let's go back to the videotape:

   0:00 Attacker connects to tcpd/rshd. ``Heh, heh, heh.''
   0:01 Local DNS server asks for PTR result.
   0:02 Attacker sends back untrusted.badguy.com, 5-minute TTL.
   0:03 Local DNS server asks for A records.
   0:10 Attacker pours a cup of coffee, laughs at the tcpd code.
   4:55 Attacker connects to tcpd/rshd again.
   4:56 Local DNS server asks for A records.
   5:04 Attacker sends back his IP address. ``That's me!''
   5:05 Local DNS server asks for PTR result. ``I love caches.''
   5:06 Attacker sends back trusted.toast.edu.
   5:07 rshd accepts connection. ``Elementary, my dear Wietse.''

Exercise for the reader: Find two faster solutions.

> Secondly, it depends on what native naming service the system uses.
> Naming services such as NIS have their own caching mechanisms,
> stopping the attack.

No, they do not stop the attack. You're making a fool of yourself.

> You can immunize BIND against this and other short TTL attacks by
> patching the source or the executable file so that min_cache_ttl
> is, for example, 300 seconds. That is sufficient to stop the attack.

No, that does not stop the attack. See above.

> Lastly, I'm responsible only for bugs in my own code.

You told system administrators, wrongly, that you were protecting them.
You're responsible for that false claim. How many people relaxed after
installing tcpd -DPARANOID, instead of pestering their vendors for a
real fix?

You've done enough damage. Admit your mistake and turn off -DPARANOID.

---Dan
1000 recipients, 28.8 modem, 10 seconds. http://pobox.com/~djb/qmail/mini.html
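Added example (not part of the post above, and not tcpd's or rshd's code): a small discrete-event model of the timeline in the message, written to show why a five-minute minimum cache TTL does not tie tcpd's PARANOID result to the reverse lookup rshd performs for itself a few seconds later. The resolver honours TTLs but never caches an answer for less than 300 seconds, as described for BIND 4.8; the attacker's authoritative server answers from a script with chosen delays. The IP address, hostnames, hosts.equiv contents, timings and the "fixed rshd" variant are all constructed assumptions for the illustration.

```python
MIN_CACHE_TTL = 300        # BIND 4.8-style floor: nothing is cached for less than 5 minutes
QUERY_TIMEOUT = 5          # seconds the local resolver waits before giving up on a query

ATTACKER_IP = "192.0.2.66"                 # constructed address (TEST-NET-1)
PTR_NAME = "66.2.0.192.in-addr.arpa"       # reverse name for ATTACKER_IP
UNTRUSTED = "untrusted.badguy.com"
TRUSTED = "trusted.toast.edu"
HOSTS_EQUIV = {TRUSTED}                    # assumed: what this rshd trusts without a password


class AttackerServer:
    """Authoritative for badguy.com and for the attacker's in-addr.arpa zone.

    Script entries are (qtype, qname, delay, answer, ttl) and are consumed once,
    in order.  A delay of None leaves the query unanswered (resolver times out).
    """

    def __init__(self, script):
        self.script = list(script)

    def query(self, qtype, qname, now):
        for i, (t, n, delay, answer, ttl) in enumerate(self.script):
            if (t, n) == (qtype, qname):
                del self.script[i]
                if delay is None:
                    return None, now + QUERY_TIMEOUT, 0
                return answer, now + delay, ttl
        return None, now + QUERY_TIMEOUT, 0


class CachingResolver:
    """The local DNS server: caches by TTL, but never below MIN_CACHE_TTL."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}   # (qtype, qname) -> (answer, expires_at)

    def lookup(self, qtype, qname, now):
        """Return (answer, time at which the answer became available)."""
        hit = self.cache.get((qtype, qname))
        if hit and hit[1] > now:
            return hit[0], now
        answer, arrived, ttl = self.upstream.query(qtype, qname, now)
        if answer is not None:
            # expiry counts from when the answer arrived, not from when it was asked for
            self.cache[(qtype, qname)] = (answer, arrived + max(ttl, MIN_CACHE_TTL))
        return answer, arrived


def tcpd_paranoid(resolver, ip, now):
    """Model of -DPARANOID: reverse lookup, forward lookup, IP must appear in the A records."""
    name, now = resolver.lookup("PTR", PTR_NAME, now + 1)
    if name is None:
        return None, now
    addrs, now = resolver.lookup("A", name, now + 1)
    if addrs is None or ip not in addrs:
        return None, now
    return name, now


def rshd_decide(resolver, now):
    """The unfixed rshd: repeats its own reverse lookup and trusts *that* name via hosts.equiv."""
    name, now = resolver.lookup("PTR", PTR_NAME, now + 1)
    return name, name in HOSTS_EQUIV, now


def rshd_fixed_decide(resolver, ip, now):
    """Assumed shape of the vendor fix: rshd itself forward-checks the name it is about to trust."""
    name, now = resolver.lookup("PTR", PTR_NAME, now + 1)
    if name is None:
        return None, False, now
    addrs, now = resolver.lookup("A", name, now + 1)
    return name, (addrs is not None and ip in addrs and name in HOSTS_EQUIV), now


def run_attack():
    """Replays the message's timeline; returns what tcpd and rshd each saw."""
    script = [
        ("PTR", PTR_NAME, 1, UNTRUSTED, 1),       # 0:02  harmless-looking name, 1 s TTL (floored to 300 s)
        ("A", UNTRUSTED, None, None, 0),          # 0:03  first A query: attacker ignores it, pours coffee
        ("A", UNTRUSTED, 8, [ATTACKER_IP], 300),  # 4:56  second A query: stalled until the cached PTR dies
        ("PTR", PTR_NAME, 1, TRUSTED, 300),       # 5:05  fresh PTR query: now a trusted name
    ]
    resolver = CachingResolver(AttackerServer(script))
    tcpd_paranoid(resolver, ATTACKER_IP, 0)                      # 0:00 first connection seeds the PTR cache
    tcpd_name, t = tcpd_paranoid(resolver, ATTACKER_IP, 295)     # 4:55 second connection
    rshd_name, accepted, t_end = rshd_decide(resolver, t)        # rshd looks again after the PTR expired
    _, fixed_accepted, _ = rshd_fixed_decide(resolver, ATTACKER_IP, t)
    return {
        "tcpd_saw": tcpd_name,            # untrusted.badguy.com: PARANOID is satisfied
        "rshd_saw": rshd_name,            # trusted.toast.edu: the name rshd actually trusts
        "accepted": accepted,             # True: the wrapper's check bound nothing
        "fixed_rshd_accepted": fixed_accepted,  # False: toast.edu's A records never match
        "finished_at": t_end,             # seconds since the first connection
    }


if __name__ == "__main__":
    print(run_attack())
```

Raising MIN_CACHE_TTL only changes how long the attacker waits before the second connection; the race is between two independent lookups, and the check that matters is the one made by the program that consults hosts.equiv.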
